Abstract

Smart card based authentication schemes are used in fields such as e-banking, e-commerce,
wireless sensor networks and medical systems to authenticate both the remote user and the
application server during communication over the Internet. Recently, Karuppiah and Saravanan
proposed an authentication scheme based on a password and a one-way cryptographic hash function.
They use a secure identity mechanism, i.e., the users’ and the server’s identities are not public. Thus,
the user and the server do not send their identities directly to each other during communication. In
this paper, we show that their scheme does not withstand the replay attack and that there is
a fault in the login phase, which makes the scheme unsuitable for practical use.
1 Introduction

A smart card based mutual authentication system lets both communicating parties
verify each other during online services. In a single-server environment, a user
registers once with a server and can then obtain services from that server many times.
After registration, each user receives his/her smart card from the server.
Using the smart card, users obtain services from the server over a public channel through the Internet. A
good user authentication scheme should have the following properties:

• The login phase should be efficient, so that the smart card can recognize wrong inputs from the
user before sending the login message to the server.

• Users can freely change their password with or without help from the server.

• Strong mutual authentication should be satisfied.

• Perfect forward secrecy should hold, so that the computed shared session key is known only to
the user and the server during that communication session.

• Communication overhead must be low, so that the authentication scheme is efficient.

• The scheme should resist all possible attacks, such as the insider attack, guessing attack,
smart card stolen attack, forgery attack, man-in-the-middle attack and so on.

There are many password based authentication systems [D ED CUE] in the literature. In 2012, Chen
et al. [5] proposed a robust smart card-based remote user password authentication scheme. In 2013,
Kumari and Khan [6] showed that Chen et al.’s scheme cannot resist impersonation attacks and insider
attacks, and they then presented an improved scheme. In the same year, Li et al. [7] also showed
that Chen et al.’s scheme cannot ensure perfect forward secrecy and that it cannot detect incorrect
passwords in the login phase, and they then proposed an improved scheme. Recently, Karuppiah and
Saravanan [8] proposed a password based user authentication scheme for the single-server environment to
make the authentication system robust. They claim that their scheme has the above
properties, which makes it better than related schemes. In this paper, however, we show
that there is a fatal error in the login phase of their scheme, so that the scheme is not applicable
for practical use. Besides, we point out a disadvantage in the login phase which may allow a
replay attack on their scheme.

The rest of the paper is organized as follows: Section 2 presents a brief review of Karuppiah
and Saravanan’s scheme. Section 3 shows the weaknesses of Karuppiah and Saravanan’s scheme.
Finally, the conclusion appears in Section 4.

2 Review of Karuppiah and Saravanan’s Scheme 

In this section, we briefly discuss Karuppiah and Saravanan’s scheme [8], using
the same notation as in their paper where possible. Their scheme consists of five phases, namely the
initialization phase, registration phase, login phase, authentication phase and password change phase.

2.1 Initialization Phase 

A server $S$ selects two large prime numbers $p$ and $q$. Further, the server chooses a generator $g$ of a
finite field in $Z_p$. Then, the server computes $n = p \times q$ and $\phi(n) = (p - 1) \times (q - 1)$. Then, the server
chooses an integer $e$ such that $\gcd(e, \phi(n)) = 1$ and $1 < e < \phi(n)$. The server computes an
integer $d$ such that $d = e^{-1} \bmod \phi(n)$ and $y = g^d \bmod n$. Finally, the server declares $y$ as its public
key and keeps $\langle d, p, q \rangle$ secret.

2.2 Registration Phase 

When a new user $U_i$ wants to register to access the server $S$, this phase is invoked. The user $U_i$
freely selects his/her identity $ID_i$, password $PWD_i$ and a random number $b$. Then, $U_i$ computes
$h(b \oplus PWD_i)$ and sends $\{ID_i, h(b \oplus PWD_i)\}$ to the server $S$ for registration. After receiving the
registration message $\{ID_i, h(b \oplus PWD_i)\}$, the server verifies the credential of identity $ID_i$. If it finds
$ID_i$ in its database, that means $ID_i$ is registered to some other user, and the server asks the user $U_i$ for
a new identity. Otherwise, the server $S$ issues a smart card that contains the public
parameters $\{C_{in}, B_i, g, y, n, h(\cdot)\}$ for the user $U_i$ after computing $B_i = h(ID_i)^{h(b \oplus PWD_i)} \bmod n$ and
$C_{in} = y^{h(d \| T_R \| ID_i) + h(b \oplus PWD_i)} \bmod n$, where $d$ and $T_R$ are the server’s secret key and the registration
time and date of user $U_i$ respectively. Further, the server creates an entry for $U_i$ in the database and
stores an encrypted form of $(ID_i, T_R)$ in this entry. Finally, $S$ sends the smart card to the user
$U_i$. After getting the smart card, the user inserts the random number $b$ into the memory of the smart
card.


2.3 Login Phase 

In this phase, the user inserts his/her smart card into the terminal and provides his/her identity $ID_i^*$
and password $PWD_i^*$ to the terminal. The terminal or smart card performs the following steps:

1. The smart card computes $B_i^* = h(ID_i^*)^{h(b \oplus PWD_i^*)} \bmod n$ and compares $B_i == B_i^*$. If it holds,
the smart card performs the following steps; otherwise it rejects the user $U_i$.

2. The smart card computes $B_2 = g^j \bmod n$, $B_3 = y^j \bmod n$, $C = ID_i \oplus h(B_2 \oplus B_3)$,
$C'_{in} = C_{in} \times y^{-h(b \oplus PWD_i)} \bmod n$ $(= y^{h(d \| T_R \| ID_i)} \bmod n)$ and $M = h(C'_{in} \| C)$, where the random
number $j$ is generated by the smart card. Then, the smart card sends a login request message
$(B_2, M, C)$ to the server $S$.

3. After receiving the login request message $(B_2, M, C)$ from the user $U_i$, the server $S$ computes
$B_3' = (B_2)^d \bmod n$ $(= y^j \bmod n)$, derives $ID_i = C \oplus h(B_2 \oplus B_3)$ and checks the validity of the
user $U_i$. If the user is valid, the server proceeds to the next steps; otherwise it rejects the login message.

4. The server $S$ computes $C^* = y^{h(d \| T_R \| ID_i)} \bmod n$ and $M^* = h(C^* \| C)$, and checks $M^* == M$. If
the equality holds, it proceeds to the next steps; otherwise it rejects the login message.

5. The server $S$ computes $t = h(T_s \oplus ID_i \oplus ID_s \oplus B_3)$ and $C_1 = (C^*)^{r+t} \bmod n$, where $T_s$ and $r$
are the current time and date of the server $S$ and a random number generated by the server $S$.
Then, the server sends a reply message $X = (h(C_1), r, T_s)$ to the user $U_i$ at time $T_s$.

6. After receiving the reply message $X = (h(C_1), r, T_s)$ from the server $S$ at time $T$, the smart
card checks whether $(T - T_s) < \Delta T$ or not. If it holds, the smart card proceeds to the next step;
otherwise it rejects the reply message of the server $S$.


7. The smart card computes $t^* = h(T_s \oplus ID_i \oplus ID_s \oplus B_3)$ and $C_2 = (C'_{in})^{r+t} \bmod n$, and checks
$h(C_2) == h(C_1)$. If it holds, the smart card proceeds to the next step; otherwise it rejects the reply
message of the server $S$.

8. The smart card computes $M_1 = (h(C_2 \oplus ID_i))^T \bmod n$, where $T$ is the current time and date
of the smart card reader clock. The smart card sends a message $Z = (M_1, T)$ to the server $S$.

2.4 Authentication Phase 

After receiving the message $Z = (M_1, T)$ from the user $U_i$ at time $T_a$, the server checks whether
$(T_a - T) < \Delta T$ or not. If it holds, the server performs the following steps; otherwise it rejects
the message $Z = (M_1, T)$ of the user $U_i$.

1. The server computes $M_2 = (h(C_1 \oplus ID_i))^T \bmod n$ and checks $M_1 == M_2$. If it is true, the
server accepts the login request and grants permission to the user $U_i$; otherwise, the server
rejects the login request.

2. After successful mutual authentication, the user $U_i$ and the server $S$ independently compute the
common session key as $S_{key} = h(ID_i \| ID_s \| C_2)$ and $S_{key} = h(ID_i \| ID_s \| C_1)$ respectively.

3 Cryptanalysis of Karuppiah and Saravanan’s Scheme 

In this section, we analyze Karuppiah and Saravanan’s scheme [8] and demonstrate the
disadvantage and the faulty login phase.

3.1 Faulty Login Phase 

In Karuppiah and Saravanan’s scheme, the identity $ID_i$ of the user $U_i$ and the identity $ID_s$ of
the server $S$ are not public. That means the user $U_i$’s identity $ID_i$ is not stored in his/her smart card
directly, and the user $U_i$ does not send his/her identity $ID_i$ directly with the login message to
the server $S$ in the login phase. For this purpose, to verify the legitimate user $U_i$, the server $S$ stores an
encrypted form of $(ID_i, T_R)$ in its database during the registration phase, and when a login message
is received by the server, it computes $B_3 = (B_2)^d \bmod n$ $(= y^j \bmod n)$, derives $ID_i = C \oplus h(B_2 \oplus B_3)$
and checks whether the derived $ID_i$ is present in its database or not. If the derived $ID_i$ is found
in its database, the server performs the remaining steps of the login phase; otherwise, it rejects the
user $U_i$. The above procedure shows that unless the identity $ID_i$ of the user $U_i$ is derived, the server
cannot recognize the user $U_i$. Similarly, to recognize the server $S$ by its identity $ID_s$, the user
must know the identity $ID_s$ of the server. But there is no procedure by which the user $U_i$ can learn the
server’s identity, because $ID_s$ is not public and the server $S$ does not send $ID_s$ with the reply
message directly to the user $U_i$ in the login phase. The server sends the reply message $(h(C_1), r, T_s)$ by
computing $C_1 = (C^*)^{r+t} \bmod n$, where $t = h(T_s \oplus ID_i \oplus ID_s \oplus B_3)$, $r$ is a random number chosen
by the server and $T_s$ is the current time and date of the server $S$. According to Karuppiah and
Saravanan’s scheme, after receiving the reply message $(h(C_1), r, T_s)$ from the server $S$, the user $U_i$
computes $t^* = h(T_s \oplus ID_i \oplus ID_s \oplus B_3)$, where $T_s$ is known to the user from the reply message, $U_i$
knows his/her identity $ID_i$, $B_3$ $(= y^j \bmod n)$ is also known to the user because he/she computes this
parameter during the login phase, and $ID_s$ is unknown to the user $U_i$. Though the user $U_i$ does not
know $ID_s$, he/she computes $t^* = h(T_s \oplus ID_i \oplus ID_s \oplus B_3)$. This is a fatal error of Karuppiah and
Saravanan’s scheme. Thus, $U_i$ cannot compute $t^* = h(T_s \oplus ID_i \oplus ID_s \oplus B_3)$ without knowing
$ID_s$. Hence, Karuppiah and Saravanan’s scheme is not suitable for practical use.

3.2 Disadvantage 

The login request message $(B_2, M, C)$ depends only on a random number $j$ generated by the
smart card, as $B_2 = g^j \bmod n$, $C = ID_i \oplus h(B_2 \oplus B_3)$ $(= ID_i \oplus h(g^j \bmod n \oplus y^j \bmod n)$, as $B_3 =
y^j \bmod n)$ and $M = h(C'_{in} \| C)$ $(= h(y^{h(d \| T_R \| ID_i)} \bmod n \| C))$, where $T_R$ is the registration time
and date of the user $U_i$. $T_R$ is a fixed parameter because a user can register with the server only
once with his/her identity $ID_i$. But the user can access the server many times after performing
the valid registration procedure only once. We assume that the login request message
of the previous session between a user $U_i$ and the server $S$ is stored at the server end. After getting a
login request message from $U_i$ for a new session, $S$ compares the current login request message with the
previous login request message. If they are the same, $S$ rejects the current login request message to avoid
a replay attack. An adversary traps the login request messages of some sessions $ST_1, ST_2, \ldots, ST_m$
with $ST_1 < ST_2 < \cdots < ST_m$, where $ST_i < ST_j$ means $ST_i$ is an earlier session than $ST_j$. Suppose
the adversary sends a login message trapped in any session from $\{ST_1, ST_2, \ldots, ST_{m-1}\}$ in
the next session, say $ST_{m+1}$. $S$ accepts the login request message of the adversary. To resist the replay
attack in Karuppiah and Saravanan’s scheme, the server has to store all the previous login request
messages of all the users to check against the current login request message. This is not an efficient
technique, because the server takes more time to search and compare the messages only to resist the replay
attack.
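
The following simulation of the situation in Section 3.2 is an added example, not code from the paper or from Karuppiah and Saravanan. It covers only login steps 2 to 4 (building and checking the request), and the toy primes, identity, password values, the fixed values of $j$ and all function and class names are assumptions made for illustration.

```python
import hashlib

# Toy parameters, constructed for this example (far too small for real use).
p, q, g, e = 1009, 1013, 3, 5
n, phi = p * q, (p - 1) * (q - 1)
d = pow(e, -1, phi)              # d = e^{-1} mod phi(n), server secret
y = pow(g, d, n)                 # y = g^d mod n, server public key

def h(*parts):
    """Hash h(.) as an integer; '||' is modelled by joining the parts."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def login_request(ID, C_in, hpw, j):
    """Smart card, login step 2: build (B_2, M, C) from the random number j."""
    B2, B3 = pow(g, j, n), pow(y, j, n)
    C = ID ^ h(B2 ^ B3)
    C_in_prime = C_in * pow(y, -hpw, n) % n    # = y^{h(d||T_R||ID_i)} mod n
    return (B2, h(C_in_prime, C), C)

class Server:
    def __init__(self, keep_all):
        self.db, self.seen, self.keep_all = {}, [], keep_all

    def register(self, ID, hpw, T_R):
        self.db[ID] = T_R                      # stored encrypted in the scheme
        return pow(y, h(d, T_R, ID) + hpw, n)  # C_in for the smart card

    def login(self, msg):
        """Login steps 3 and 4, plus the stored-message comparison of Section 3.2."""
        history = self.seen if self.keep_all else self.seen[-1:]
        if msg in history:
            return False
        B2, M, C = msg
        ID = C ^ h(B2 ^ pow(B2, d, n))         # B_3' = B_2^d = y^j mod n
        if ID not in self.db or h(pow(y, h(d, self.db[ID], ID), n), C) != M:
            return False
        self.seen.append(msg)
        return True

def replay_accepted(keep_all):
    """Run ST_1 and ST_2 honestly, then resend the request captured in ST_1."""
    S = Server(keep_all)
    ID, hpw = int.from_bytes(b"alice", "big"), h(0x5EED ^ 0xC0FFEE)  # h(b xor PWD_i)
    C_in = S.register(ID, hpw, T_R=20160101)
    st1 = login_request(ID, C_in, hpw, j=12345)
    st2 = login_request(ID, C_in, hpw, j=67890)
    assert S.login(st1) and S.login(st2)
    return S.login(st1)
```

With `keep_all=False` the server compares only against the previous request and the request from $ST_1$ passes again; with `keep_all=True` it is rejected, at the cost of storing and searching every earlier request.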


4 Conclusion and Future Scope 

We have shown that Karuppiah and Saravanan’s scheme has a fatal error in the login phase, so that their
scheme is impractical for real-world applications. Further, we have also shown a disadvantage of
their scheme. In future, we will improve their scheme to overcome the fatal error in the login phase as
well as eliminate the disadvantage of their scheme.